The General Data Protection Regulation (GDPR) has forced many data-driven organisations to rethink their data security strategy seriously. Many others are stalling, unsure how the regulation applies to businesses outside the EU, and British companies face the added complication of a possible exit from Europe. Waiting is a flawed and risky approach. GDPR's territorial scope (Article 3) covers any organisation that offers goods or services to, or monitors the behaviour of, people in the EU, wherever that organisation is based, so leaving the EU would not take a UK business that serves EU customers out of reach of the regulation or its penalties. Here are some of the points critical to GDPR that mean UK businesses cannot afford to wait:

Failure to comply with certain provisions of GDPR can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. Take the still prominent TalkTalk breach of October 2015 as an example. TalkTalk's preliminary results show pre-tax profits more than halved compared with the previous year, largely, it seems, because of £40 to £45 million of "exceptional costs" arising from the breach. On top of that, it lost around 160,000 retail customers, about 3% of its customer base. Under GDPR the Information Commissioner's Office (ICO) could have fined TalkTalk up to 4% of global annual turnover, adding tens of millions of pounds to these already significant costs, quite apart from any investigation into criminal liability. TalkTalk's belief that its "systems were as secure as they could be" must now look like an expensive miscalculation.

Around the world, senior executives urgently need to anticipate how dramatically GDPR changes the way their organisations must protect sensitive and personal data, and British businesses should not treat the EU referendum as a reason to delay. Don't repeat the monumental miscalculation other companies have made. Start now, and avoid the risks that come with rushing change: identify the key stakeholders and their responsibilities, and make a clear, coherent plan for GDPR compliance that avoids disrupting data processing or analysis. Data is one of the most valuable, competitive assets an organisation has; is it worth the risk of not protecting it?